
Simple Log Service: Usage notes

Last Updated: Feb 29, 2024

This topic describes the limits and billing of Log Audit Service.

Limits

  • Storage methods and regions

    Important

    Before you use Log Audit Service for centralized storage or regional storage, you must evaluate whether the region in which you want to store logs meets the security requirements of related laws and regulations.

    • Centralized storage

      Logs that are collected from multiple Alibaba Cloud accounts across different regions are stored in a central project of a central Alibaba Cloud account. A central project can reside in the following regions.

      Note

      When you change the region for a central Alibaba Cloud account, Simple Log Service creates a central project in the new region. The original project is not deleted.

      • Chinese mainland: China (Qingdao), China (Beijing), China (Hohhot), China (Ulanqab), China (Hangzhou), China (Shanghai), China (Shenzhen), and China (Hong Kong)

      • Outside the Chinese mainland: Singapore, Japan (Tokyo), Germany (Frankfurt), and Indonesia (Jakarta)

    • Regional storage

      For Server Load Balancer (SLB), Application Load Balancer (ALB), Object Storage Service (OSS), PolarDB-X 1.0, Virtual Private Cloud (VPC), and Alibaba Cloud DNS (DNS), Log Audit Service stores the logs collected from multiple Alibaba Cloud accounts in the projects that belong to the central Alibaba Cloud account and reside in the same regions as these cloud services. For example, the access logs that are collected from an OSS bucket in the China (Hangzhou) region are also stored in a project in the China (Hangzhou) region.

    • Synchronization to a central project

      For SLB, ALB, OSS, PolarDB-X 1.0, VPC, and DNS, if regional storage is used, Log Audit Service can synchronize logs from the Logstores of regional projects to the Logstores of a central project. This way, you can query, analyze, and visualize the logs in a more efficient manner. You can also configure alerts for the logs and perform secondary development.

      The synchronization process is based on the data transformation feature of Simple Log Service.

  • Resources

    • A central Alibaba Cloud account has only one functioning central project. The name of the central project is in the following format: slsaudit-center-<Central Alibaba Cloud account ID>-<Region specified for the central project>. Example: slsaudit-center-117938634953****-cn-beijing. You cannot delete a central project in the Simple Log Service console. If you want to delete a central project, you can use the Alibaba Cloud CLI or call API operations.

    • For SLB, ALB, OSS, PolarDB-X 1.0, VPC, and DNS, logs can be stored in multiple regional projects. The name of a regional project is in the following format: slsaudit-region-<Central Alibaba Cloud account ID>-<Source region for collection>. Example: slsaudit-region-117938634953****-cn-beijing. You cannot delete a regional project in the Simple Log Service console. If you want to delete a regional project, you can use the Alibaba Cloud CLI or call API operations.

    • If you enable log collection for a cloud service, Log Audit Service creates a dedicated Logstore. You can manage a dedicated Logstore in the same way that you manage other Logstores. A dedicated Logstore has the following limits:

      • To prevent data tampering, Simple Log Service allows only the specified service to write logs to the dedicated Logstore. You cannot modify or delete indexes in the Logstore.

      • You can modify the retention period of logs or delete the dedicated Logstore only on the Global Configurations page of Log Audit Service or by calling API operations.

      • For SLB, ALB, OSS, PolarDB-X 1.0, VPC, and DNS, if synchronization to a central project is enabled, data transformation jobs are generated in the regional projects.

        • The data transformation jobs are named as follows, by the logs they synchronize:

          • OSS logs: Internal Job: SLS Audit Service Data Sync for OSS Access

          • SLB logs: Internal Job: SLS Audit Service Data Sync for SLB

          • ALB logs: Internal Job: SLS Audit Service Data Sync for ALB

          • PolarDB-X 1.0 logs: Internal Job: SLS Audit Service Data Sync for DRDS

          • VPC logs: Internal Job: SLS Audit Service Data Sync for VPC

          • DNS logs: Internal Job: SLS Audit Service Data Sync for DNS

        • You can stop the data transformation jobs only on the Global Configurations page of Log Audit Service or by calling API operations.

        • If you enable synchronization to a central project, the logs in the Logstores of the regional projects are synchronized to the dedicated Logstores of the central project. You can no longer manage the Logstores of the regional projects. However, you can still perform operations such as queries on the Logstores of the central project.

  • Permissions

    If you want to use Log Audit Service to collect audit logs of Kubernetes clusters, events of K8s Event Center, and Ingress access logs, you must be aware of the following limits on permissions:

    • Log Audit Service allows you to collect Kubernetes logs only from a central Alibaba Cloud account. If multi-account collection is configured, you cannot collect Kubernetes logs from a different Alibaba Cloud account than the central Alibaba Cloud account.

    • Log Audit Service collects Kubernetes logs based on the data transformation feature. If you want to use Log Audit Service to collect Kubernetes logs, you must grant permissions to the central Alibaba Cloud account based on the descriptions in the following table.

      Item: Role of the current central Alibaba Cloud account

      • Central Alibaba Cloud account not upgraded: sls-audit-service-monitor

      • Central Alibaba Cloud account upgraded: AliyunServiceRoleForSLSAudit

      Item: Additional permissions

      • Central Alibaba Cloud account not upgraded: The sls-audit-service-monitor role must have the AliyunLogAuditServiceMonitorAccess permission and the custom permission AliyunLogAuditServiceK8sAccess, with the following policy document:

        {
            "Version": "1",
            "Statement": [
                {
                    "Action": "log:*",
                    "Resource": [
                        "acs:log:*:*:project/k8s-log-*"
                    ],
                    "Effect": "Allow"
                }
            ]
        }

      • Central Alibaba Cloud account upgraded: Only the permissions of the AliyunServiceRoleForSLSAudit role are required. No additional permissions are required.

  • Data retention periods in days

    • In Log Audit Service, the audit logs, slow query logs, and error logs of ApsaraDB RDS instances are stored in the same Logstore named rds_log. If log collection is enabled for all types of logs but the data retention periods are different, the largest value of the data retention periods is used.

    • In Log Audit Service, the audit logs, slow query logs, and error logs of PolarDB for MySQL clusters are stored in the same Logstore named polardb_log. If log collection is enabled for all types of logs but the data retention periods are different, the largest value of the data retention periods is used.

    • In Log Audit Service, the traffic logs of the Internet firewall and VPC firewalls in Cloud Firewall are stored in the same Logstore named cloudfirewall_log. If log collection is enabled for both types of traffic logs but the data retention periods are different, the larger value of the data retention periods is used.

    • In Log Audit Service, the access logs of Anti-DDoS Pro, Anti-DDoS Premium, and Anti-DDoS Origin are stored in the same Logstore named ddos_log. If log collection is enabled for all types of access logs but the data retention periods are different, the largest value of the data retention periods is used.

    • In Log Audit Service, the audit logs of Kubernetes clusters and the events of K8s Event Center are stored in the same Logstore named k8s_log. If log collection is enabled for the audit logs and events but the data retention periods are different, the larger value of the data retention periods is used.

    • In Log Audit Service, the change logs and resource non-compliance logs of Cloud Config are stored in the same Logstore named cloudconfig_log. If log collection is enabled for both types of logs but the data retention periods are different, the larger value of the data retention periods is used.

    Note

    The preceding list describes the types of logs whose data retention periods are affected by each other. If you enable both log collection and intelligent tiered storage for these types of logs, the hot retention period of the logs is the largest value of the hot retention periods for these types of logs. If you enable log collection for all these types of logs but enable intelligent tiered storage only for some types of logs, intelligent tiered storage is automatically disabled for all the logs.

    For example, if you enable log collection and intelligent tiered storage for the audit logs and error logs of ApsaraDB RDS instances, the larger value of the hot retention periods for the audit logs and error logs is used. If you enable log collection for the audit logs and error logs of ApsaraDB RDS instances but enable intelligent tiered storage only for the audit logs, intelligent tiered storage is disabled for the rds_log Logstore in which the logs are stored.
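As an added example that is not Alibaba Cloud's code, the following Python models how a shared dedicated Logstore resolves its data retention, hot retention, and tiered-storage state from the per-type settings described above. The log type keys are constructed labels for the log types named in the notes; the retention values used when calling it are constructed.

```python
"""Resolve the effective retention of a shared Log Audit Service Logstore.

Added example, not Alibaba Cloud's code. Rules from the usage notes: log
types sharing one dedicated Logstore take the largest data retention period;
the hot retention is likewise the largest value, but only if intelligent
tiered storage is enabled for every collected type, otherwise tiering is
disabled for the whole Logstore. Log type keys are constructed labels.
"""
from dataclasses import dataclass
from typing import Optional

# Dedicated Logstores that hold several log types (from the usage notes).
SHARED_LOGSTORES = {
    "rds_log": ("rds_audit", "rds_slow", "rds_error"),
    "polardb_log": ("polardb_audit", "polardb_slow", "polardb_error"),
    "cloudfirewall_log": ("cfw_internet_traffic", "cfw_vpc_traffic"),
    "ddos_log": ("ddos_pro", "ddos_premium", "ddos_origin"),
    "k8s_log": ("k8s_audit", "k8s_event"),
    "cloudconfig_log": ("config_change", "config_noncompliance"),
}
MIN_HOT_DAYS = 7  # hot retention must be >= 7 days and <= data retention


@dataclass(frozen=True)
class TypeConfig:
    enabled: bool            # log collection enabled for this type
    ttl_days: int            # data retention period set for this type
    hot_days: Optional[int]  # hot retention if tiering is on, else None


@dataclass(frozen=True)
class LogstoreRetention:
    ttl_days: int            # effective data retention of the Logstore
    tiered: bool             # whether tiered storage stays enabled
    hot_days: Optional[int]  # effective hot retention, None if tiering off


def resolve_logstore(logstore, configs):
    """Effective retention of one shared Logstore; None if nothing collected."""
    enabled = [configs[t] for t in SHARED_LOGSTORES[logstore]
               if t in configs and configs[t].enabled]
    if not enabled:
        return None
    for cfg in enabled:  # per-type bounds stated in the usage notes
        if cfg.hot_days is not None and not MIN_HOT_DAYS <= cfg.hot_days <= cfg.ttl_days:
            raise ValueError(f"{logstore}: hot retention {cfg.hot_days} must be "
                             f"between {MIN_HOT_DAYS} and {cfg.ttl_days} days")
    ttl = max(cfg.ttl_days for cfg in enabled)
    if any(cfg.hot_days is None for cfg in enabled):
        return LogstoreRetention(ttl, False, None)  # partial tiering: all off
    return LogstoreRetention(ttl, True, max(cfg.hot_days for cfg in enabled))


def resolve_all(configs):
    """Resolve every shared Logstore that has at least one collected type."""
    results = {}
    for name in SHARED_LOGSTORES:
        retention = resolve_logstore(name, configs)
        if retention is not None:
            results[name] = retention
    return results
```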

  • Cloud Config

    • Log Audit Service requires the configuration information that is provided by Cloud Config. You must activate Cloud Config in the Cloud Config console and enable the monitoring of all resources.

    • If you want to collect, store, or query Cloud Config logs in Log Audit Service, you must grant Simple Log Service the permissions to extract the logs that are recorded in Cloud Config. After Simple Log Service is granted the permissions, your Cloud Config logs are automatically pushed to Simple Log Service.

    • If you collect logs from multiple accounts in resource directory mode, Log Audit Service automatically activates Cloud Config for all members configured in the resource directory, and integrates Cloud Config with Simple Log Service after the central account is granted the required permissions. If you collect logs from multiple accounts in custom authentication mode, other members must be granted the required permissions after the central account is granted the required permissions. For more information, see Use a custom policy to authorize Simple Log Service to collect and synchronize logs.

  • Intelligent tiered storage

    The dedicated Logstores of Log Audit Service support the intelligent tiered storage feature. Compared with the hot storage tier, the Infrequent Access (IA) and Archive storage tiers provide lower storage costs and lower query and analysis performance. The performance of other features, such as alerting, visualization, transformation, and shipping, is not affected. For more information, see Enable intelligent tiered storage.

    Note

    Log Audit Service allows you to enable the intelligent tiered storage feature in the following regions: China (Qingdao), China (Beijing), China (Hohhot), China (Hangzhou), China (Shanghai), China (Shenzhen), China (Hong Kong), and Singapore.

    You can enable the intelligent tiered storage feature on the Global Configurations page of Log Audit Service. The hot data retention period must be greater than or equal to 7 days and cannot exceed the current data retention period. For example, if the data retention period of a central project is 180 days and the hot data retention period is 30 days, data that has been stored for more than 30 days is moved to the IA or Archive storage tier.

  • Data encryption

    Log Audit Service supports data encryption by using the built-in service keys of Simple Log Service instead of Bring Your Own Key (BYOK) keys. The built-in service keys of Simple Log Service support the Advanced Encryption Standard (AES) and SM4 encryption algorithms. For more information, see Data encryption.

    After you enable data encryption, Simple Log Service automatically encrypts the dedicated Logstores of cloud services for which log collection is enabled. The dedicated Logstores of central projects and regional projects are included. For more information, see Enable encryption.

  • Indexes

    Log Audit Service supports automatic updates of indexes. You can also manually change indexes. For more information, see Create indexes.

    If the system displays the message "This Logstore is dedicated to the Log Audit Service application. You cannot modify the index attributes of the Logstore or disable indexing." when you manually change an index, we recommend that you reconfigure Log Audit Service by performing the following operations: Click Modify on the Global Configurations page of Log Audit Service, reconfigure Log Audit Service, and then click OK.

    Important

    If you manually change an index, related built-in dashboards and built-in alerts may be unavailable. Proceed with caution.

Billing

  • Simple Log Service

    You must activate Simple Log Service and enable Log Audit Service for the central Alibaba Cloud account that is used to collect logs from other Alibaba Cloud accounts. You do not need to activate Simple Log Service for other Alibaba Cloud accounts. However, if the cloud services within other Alibaba Cloud accounts rely on Simple Log Service, you must activate Simple Log Service for these accounts. No fees for Simple Log Service are generated in these accounts. When you use Log Audit Service, you are charged for the data storage, read and write traffic, and data transformation based on the pay-as-you-go billing method. For more information, see Billable items of pay-by-feature.

    Important
    • For SLB, ALB, OSS, PolarDB-X 1.0, VPC, DNS, and Container Service for Kubernetes (ACK), if synchronization to a central project is enabled, the collected logs are synchronized based on the data transformation feature. You are charged for data transformation and cross-network traffic based on the pay-as-you-go billing method. For more information, see Billable items of pay-by-feature.

    • You can use Log Audit Service or a common collection method to collect logs. You are charged when you use either of the two methods. If you use both methods to collect logs, Simple Log Service stores two copies of the data. You can use the two copies of data in different scenarios.

      • Log Audit Service: This application supports automated and centralized log collection from cloud services across multiple Alibaba Cloud accounts in real time. The collected logs are used for compliance auditing.

      • Common method: Logs are collected by region and separately managed. The collected logs are used for log analysis. For more information, see Alibaba Cloud service logs.

    You can use free resource quotas or purchase resource plans to offset your fees.

  • Cloud services

    After you enable Log Audit Service in the Simple Log Service console and enable log collection for cloud services, you may be charged additional fees. The fees are included in the bills for the cloud services. The following table describes the cloud services that may generate additional fees.

    Cloud service

    Additional fees

    Web Application Firewall (WAF)

    You are charged for the Log Service for WAF feature that is purchased in the WAF console. For more information about the feature fees, see Billing.

    Security Center (SAS)

    You are charged for the log analysis feature that is enabled in the Security Center console. For more information about the feature fees, see Billing overview.

    Cloud Firewall

    You are charged for the log analysis feature that is enabled in the Cloud Firewall console. For more information about the feature fees, see Billing.

    ApsaraDB RDS

    After you enable the log collection feature for ApsaraDB RDS, the SQL Explorer or SQL Audit feature is automatically enabled on the ApsaraDB RDS instances that meet the requirements. ApsaraDB RDS for MySQL instances that do not run the Basic Edition and ApsaraDB RDS for PostgreSQL instances that run the High-availability Edition are supported. You are charged for the SQL Explorer or SQL Audit feature. For more information about the feature fees, see Billable items.

    Note
    • If you have enabled SQL Explorer Trial Edition for your ApsaraDB RDS instance, Log Audit Service automatically disables SQL Explorer Trial Edition and enables the official edition of the SQL Explorer feature after log collection is enabled.

    • By default, the logs that are generated by the SQL Explorer feature are stored for 30 days. You can change the log retention period in the ApsaraDB RDS console. For more information, see Modify the retention period of SQL audit logs. This log retention period is independent of the data retention period that is specified in Log Audit Service for the audit logs of your ApsaraDB RDS instance; the two periods do not affect each other.

      If the log retention period that you specify in the ApsaraDB RDS console is less than 30 days, the logs cannot be delivered to Simple Log Service. Log Audit Service automatically changes the log retention period to 30 days.

    • If you have stopped collecting the audit logs of your ApsaraDB RDS instance and want to disable the SQL Explorer feature, you must disable the feature in the ApsaraDB RDS console. For more information, see Disable the SQL Explorer feature.

    PolarDB

    After you enable the log collection feature for PolarDB, the SQL Explorer or SQL Audit feature is automatically enabled on the PolarDB clusters that meet the requirements. Only PolarDB for MySQL clusters are supported. You are charged for the SQL Explorer or SQL Audit feature. For more information about the feature fees, see Billable items.

    Note
    • If you have enabled SQL Explorer Trial Edition for your PolarDB for MySQL cluster, Log Audit Service automatically disables SQL Explorer Trial Edition and enables the official edition of the SQL Explorer feature after log collection is enabled.

    • By default, the logs that are generated by the SQL Explorer feature are stored for 30 days. You can change the log retention period in the ApsaraDB PolarDB console. For more information, see Change the retention period of SQL logs. This log retention period is independent of the data retention period that is specified in Log Audit Service for the audit logs of your PolarDB for MySQL cluster; the two periods do not affect each other.

      If the log retention period that you specify in the ApsaraDB PolarDB console is less than 30 days, the logs cannot be delivered to Simple Log Service. Log Audit Service automatically changes the log retention period to 30 days.

    • If you have stopped collecting the audit logs of your PolarDB for MySQL cluster and want to disable the SQL Explorer feature, you must disable the feature in the ApsaraDB PolarDB console. For more information, see Disable the SQL Explorer and Audit feature.

    Anti-DDoS

    You are charged for the log analysis feature that is purchased in the Anti-DDoS Pro console. For more information about the feature fees, see Overview.

    VPC

    When you use flow logs, you are charged Simple Log Service usage fees and log generation fees. For more information, see Billing of flow logs.

    Note
    • You can enable the collection of VPC flow logs by using Log Audit Service or the VPC console. The operations that you perform in Log Audit Service are independent of the operations that you perform in the VPC console. You can enable or disable the collection of VPC flow logs based on your business requirements. These methods are charged separately based on their individual fees.

    • Before you delete a project that is used to store the audit logs of a VPC, you must disable the collection of flow logs for the VPC. Otherwise, the collection of flow logs remains enabled for the VPC after the project is deleted.

    DNS

    For more information about traffic analysis fees, see DNS.